fun with XBMC

We’ve been spending some time playing around with XBMC as this platform is starting to get quite popular.

We found a way to gain shell on xbmcbuntu and raspbmc devices reliably. The out-of-the-box configuration of these devices is part of the attack. We’re currently working on finding a way to do the attack with XBMC installed on any platform.

The vulnerability pre-requisites are:

xbmcbuntu or raspbmc

Allow control of XBMC via HTTP with default credentials (enabled to control XBMC with their phone remote – often used.)

At any rate we will be posting the working attacks on xbmcbuntu and raspbmc shortly.

Oh, we also found a drive file contents disclosure vulnerability in xbmc, pre-requisite being allow control of XBMC via HTTP enabled with default credentials.